After stepping through the code, I found the code that is switching the window.location.protocol to https://, but I'm not sure why. In the file jimu.js/shared/ConfigManager.js, there's a method called _processNotInPortalAppProtocol. It looks like it's comparing the organization's ArcGISOnline portal url to the current url. It then switches the window.location.protocol to https in line 436 if the portal url is secured, but the current url isn't.
I'm going to try to find the source of the portal url, and attempt to change it to http:// to test if that works.